Posted by jamie on Monday April 09, 2001 @05:07PM from the didn't-see-that-one-coming dept.

NAI Labs, a division of PGP Security, just sent out a press release announcing that they're "joining with the National Security Agency (NSA) and its other partners to further develop the NSA's Security-Enhanced Linux (SELinux) prototype." Wow.

Yes, the NSA does care about national security, but is far less concerned with tracking an individual user. I think I know something about them, as my current employer is an ex NSA agent who worked closely with the DoD on DARPAnet. He is one of the founders of the Internet, and just looking in his eyes you can almost tell this. Anyway...

They can't put backdoors in Linux because we'd catch them and then have a national scare as proof poured out that the NSA is definitely trying to spy on us. Strike 1.

Backdoors *can* be put in NAI PGP. But you ARE using Werner Koch's GPL'd GNU Privacy Guard (GPG) for crypto, right? Strike 2.

If you want crypto in the kernel, go to kerneli.org and grab the international patch. The 2.4.0 patch will work even up to 2.4.2. You can make encrypted loopback filesystems using very strong algorithms. IOW, it's been done. Strike 3.

The NSA is only trying to improve security in other parts of the kernel, and PGP is probably the strongest way to do it right now. Folks, this is a Good Thing(tm).

It's actually refreshing to see people like PGP who have traditionally been at the forefront of providing encryption to the masses working with a place like the NSA. This could mean a lot of good things for Joe User. I personally can't think of any company I'd like working with NSA more than PGP.

PGP is just an all around good company, and I'm sure their participation on this project will only make it better for everyone involved.

there's another possibility which doesn't seem to have been considered often: a troll that managed to get mod points, post under another account (eg, ac), then mod up that post. All for the purpose of wasting other moderators' mod points. (a troll post at +2 will waste more mod points than one at +1 or 0 and +5 even more (though how it would get there in the first place boggles the mind)).

To paraphrase JWZ, the NSA have the r00t password to the constitution. There is no legal defence against the national interest.

On the other hand, if Microsoft finds something they don't like (anything that violates their licensing agreements)

Ah, there we differ. I pay for all the commercial software I use (actually, that's not true; it would be more accurate to say that I only use commercial software that someone has paid for, for example a company). If you get caught for it, you just pay up and it's settled.

No, what I'm worried about is information that may be politically or socially unacceptable to the government. What would Thoreau have done?

www.lids.org [lids.org]
Very nice implementation of MAC. Not as flexible as the NSA's scheme but it's useable right now and greatly limits the amount of damage an intruder with root access can do. Highly recommended for any system.

Nice deal, but not very big. Consider that it's 1.2M for a two-year project. 600k/year pays for perhaps two programmers (100-120k salaries * 5-6 for other costs and profit). Or a top-notch researcher working part-time in the project. Or something between - the most likely choice.

Without the specifics of the deal, it's of course hard to say, but as it's about Linux security and cryptography commercial/NSA joint project and, from reading the press release, there are more partners in this project, the total impact is likely to be big.

However, I don't remember if mandatory access control framework was generally accepted as a target for 2.5 development by the kernel guys. And, being a big change, I think it's either one of the main targets, or it's going to wait for the next development cycle. Which might fit nicely for the 2-year project deadline;)

Fortunately, unless the NSA does their own distribution, other folks can review their code looking for backdoors. And besides, would you take a distribution from the NSA? They'd probably reintroduce the old trusted compiler [neca.com] hack, where the binary for the compiler inserts backdoor code into the login program, and new versions of the compiler. A more modern implementation could just do calls to listen(), so every network server automatically gets a backdoor...

Computing is the only field in which we consider
adding a wing to the building to be maintenance.

And how would he have been able to increase the security of all the Linux systems on the net by trying to make another, much more seldom used and already pretty secure operating system even more secure?

It's certainly a new (is that, gnu?) world out there. This does raise, however, further questions about PGP-via-NAI's security and lack of governmental collusion. One wonders if the talks leading up to this were what spurred Zimmermann to leave to focus on OpenPGP?

While yes, the openness of Linux prevents back doors and such from being put into the source code, it's still possible to have a compiler written that will put in back doors. I believe Ken Thompson demonstrated that in a talk [acm.org] once. And since you can't do anything without a compiler (unless you're up for writing assembly by hand), there's always a way to get a hole in.
Maybe it's time to have a trust model for compilers?

The NSA has two jobs to do in order to fulfill their mission of protecting the interests of the United States.

The first one is well, invasion of privacy. They need to be able to read the communications of "Bad Guys". Most people on Slashdot are perfectly aware of this role.

The other role, paradoxically, is protection of privacy. They need to prevent the communications of "Good Guys" from being intercepted by the "Bad Guys". Currently, one of the most annoying threats to national security is industrial espionage. Thus it behooves the NSA to provide tools to American citizens and corporations to protect themselves.

Thus you see the NSA fighting encryption by encouraging export restrictions & key escrow schemes on one hand, while simultaneously promoting encryption by working with PGP, and enhancing the security of Linux.

Trying to think how the NSA reconciles those two roles makes my head hurt.

I'm much less worried about their first objective than their second. Does that make me paranoid? Maybe. Can I demonstrate that in the past they have been out to get people? You betcha. You mean this time they promise to be nice? I have some Arizona swampland for you.

Again...WHY would they give the product back? Sure, under the GPL they're supposed to, but you don't think they're worried about getting sued by the EFF, are you? They just have to say "it's classified." Case closed.

I'll tell you why they are doing this. They are providing a robust secure OS that will protect you against everybody except the NSA. How many servers are YOU going to deploy that on? There has never in the history of Earth been a trustworthy government. EVER. Why is this one all of a sudden so cuddly?

Why then would they release that product back to us? That clearly contravenes their second objective.

I submit that it's not possible to examine the product thoroughly enough to ensure that no back doors have been introduced. Surely you don't believe that the NSA is even SLIGHTLY worried about YOUR privacy, do you?

Follow the money. If you can't find the money, follow the power. The NSA is motivated to do this by what they perceive is in the NSA's best interest. I believe that the NSA's best interest has very little to do with my personal liberty and privacy, and therefore I trust them as far as I can throw the Pentagon. This is a huge, obvious Trojan Badger. If you want to let it into your demesnes, feel free. It's terribly naive, however, to think it's a gift.

As soon as their budget sees the light of day and their Secret Operational Mandate is publicly debated and their data streams exposed....

Like that'll happen. I wonder how many 'hooks and back-doors' they can hide? I guess it's a fantasy to think the public could ever have an encryption scheme strong enough to block their eyes anyway...

You know, I've really got to hand it to the NSA. Somewhere, deep in that organization, is an individual who is driving this whole SELinux project, and I think it's safe to say that He's got a clue.

Don't think that it wasn't difficult for the NSA to do what we've seen with SELinux. For an organization whose entire history has been built upon the idea that incognito is good, this movement of opening up and embracing the open source community was certainly hampered by the knee-jerk reaction of middle-managers who can't imagine working openly with private companies, much less thousands of developers worldwide.

Bravo, NSA. And bravo, Mr. Man-behind-the-scenes who's making this happen. My hat's off to you.

I work for NAILabs on projects similar to this one, though I don't currently have ties to this project in particular. NAILabs specializes in contracts like this and the projects are very interesting and fun to work on. Plus, much of the work is often released in open source venues.

Previously, we worked on a publicly available implementation of SNMPv3 (first in net-snmp [net-snmp.org] and then from scratch in opensnmp [opensnmp.com], both of which are BSD copyrighted code).

My next project is targeted to large scale management [ietf.org] of IPsec [ietf.org] installations, the code for which should also be released to the public (though the popular FreeS/Wan [freeswan.org] code base won't accept US patches, so we'll probably be instrumenting Cerberus [nist.gov] instead; FreeS/WAN's loss I guess, otherwise we might have implemented code for them both).

Working on projects like this is great, because it's typically in the form of "here's a hard problem", now "go solve it" without any mention of "do it this way".

Because no matter what else they are, the NSA is still a gov't agency and has more red tape than you can imagine. Just because they are a "black budget" agency doesn't mean they are free from politics.

The people that RUN the agency (like every OTHER gov't agency) are politicians. Remember, George Bush Sr. was Director of the CIA before becoming VP -- a politician. --
Charles E. Hill

Required to comply? Are you joking? Do the words "national security" mean anything to you? They would to the lawyers/judges who were stupid enough to try to even gather evidence of anything they were doing in regards to this. They'd be in a military jail so fast it would make your head spin. --
Charles E. Hill

People have been asking why the NSA would do such a thing and isn't it counter-productive? After all, isn't their objective to get at all the data when they need to?

The cost savings over their current use of "Trusted" OSes has already been mentioned. It probably adds up.

But you are forgetting one thing. Most of the reported vulnerabilities are not in the kernel! They are in associated apps and misconfigured services!

Yes, I know what MACs are and that properly configured they would go a long way towards securing a system.

Guess what? Most people can't properly configure a system now much less understand and properly setup a MAC-based one!

Look at the Top 10 [sans.org] vulnerabilities on the net today and you will see most of them have had fixes/patches for a long time -- they just haven't been applied!

THIS ISN'T GOING TO CHANGE WITH SE LINUX!
If you know what you are doing you can properly configure a pretty damn secure Linux/BSD system -- especially a non-server -- with minimal effort. Combine IPChains/IPTables with Tripwire, Snort, NMAP (to double-check) and don't run any services that aren't absolutely necessary and ANYONE, including the NSA, is going to have a damn hard time getting in to your system.

If you really want to be paranoid -- use different passwords for local-access items (like logging in) and remote-access items (like POP3 e-mail -- which can be easily sniffed); install the International crypto patch [kerneli.org] on your kernel and setup a loopback device to encrypt all your file systems. (BTW: the 2.4.3 Int'l patch is out.)

Professional involvement by the world's largest employer of mathematicians and cryptographers is a good thing.

Why shouldn't I work for the NSA? That's a tough one, but I'll take a shot.

Say I'm working at the NSA and somebody puts a code on my desk, something nobody else can break. Maybe I take a shot at it, maybe I break it. I'm really happy with myself, because I did my job well.

But maybe that code was the location of some rebel army in North Africa or in the Middle East and once they have that location they bomb the village where the rebel army is hiding. Fifteen hundred people that I never met, never had no problem with, just got killed.

Now the politicians are saying "Oh, send in the Marines to secure the area," because they don't give a shit. It won't be their kid over there getting shot just like it wasn't them when their number got called because they were pulling a tour in the National Guard.

It'll be some kid from Southie over there taking shrapnel in the ass. He comes back to find that the plant he used to work at got exported to the country he just got back from, and the guy that put the shrapnel in his ass got his old job, because he'll work for fifteen cents a day and no bathroom breaks.

Meanwhile he realizes that the only reason he was over there in the first place was so we could install a government that would sell us oil at a good price. And of course the oil companies use the little skirmish to scare up oil prices. It's a cute little ancillary benefit for them, but it ain't helping my buddy at two-fifty a gallon.

They're taking their sweet time bringing the oil back, of course, and maybe they took the liberty of hiring an alcoholic skipper who likes to drink martinis and fucking play slalom with the icebergs. It ain't too long until he hits one, spills the oil, and kills all the sea life in the North Atlantic.

So now my buddy's out of work, he can't afford to drive, so he's walking to the fucking job interviews which sucks because the shrapnel in his ass is giving him chronic hemorrhoids. Meanwhile, he's starving because any time he tries to get a bite to eat the only Blue Plate Special they're serving is North Atlantic Scrod with Quaker State.

So what did I think? I'm holding out for something better.

I figure, fuck it. While I'm at it, I might as well just shoot my buddy in the ass, take his job, give it to his sworn enemy, hike up gas prices, bomb a village, club a baby seal, hit the hash pipe and join the National Guard. I could be elected President.

--From "Good Will Hunting" (Matt Damon's character speaking to an NSA recruiter, in a heavy Boston accent)

Remember that the NSA has multiple responsibilities. Specifically, it also has the responsibility to ensure that our (government, contractors) computers aren't compromised by others.

A truly secure COTS OS won't hurt the NSA and FBI too much - they have plenty of other resources available to them. But not many groups will be able to afford the HumInt required to get around NSA/FBI safeguards, if the easy technical backdoors have been eliminated.

Good point. But people using stock distributions would be the most vulnerable, which would really most likely include large corporate installations. They'd get a distribution from vendors, and the vendor contract would probably specify that alterations would fubar the support contract, and a lot of old-school IT guys don't wipe their ass without checking vendor agreements... Which is probably fine for the NSA, since they'd probably rather spy on those folks anyway. Real Administrators would work on their own chain of trust.

On the flip side, actually doing something useful with this hack would be very difficult. It would be too easy to get caught if someone with the right skills goes poking around binaries and finds something amiss. And it's a fair bet that any NSA-blessed code would get such a close look.
It wouldn't be so easy to hide, either. This is much easier with Microsoft OSes, which have such a large amount of undocumented stuff all over the place that could be linked together.

Who knows, often things are no more complex than they appear. I bet that the NSA has found that it would be much easier to protect themselves and other government agencies if there were a distribution that THEY could trust without the expense of coding it all themselves. With proprietary software, they are at a slight disadvantage in that cat and mouse game. Maybe the _NSAKEY was a Microsoft trick to backdoor the NSA...

But the lesson from the compiler hack is that you can really only trust it if you've examined it yourself. And a secure Linux distribution would undeniably be of very high utility all on its own to the NSA.

A few years ago, Network Associates gobbled up Trusted Information Systems - the folks who brought you the TIS Firewall Toolkit, and brought me my first job out of grad school. TIS was very cozy with the NSA (founder and many employees were ex-NSA), and did several research projects for them (including the one I worked on, Trusted Mach).

I don't know what the current organizational structure of Network Associates is, but I suspect that NAI labs may be the remains of TIS. I wouldn't be surprised if the NSA came to Network Associates as the result of this relationship.

(In the interests of full disclosure: I'm a Network Associates stockholder.)

they did make some [at the time] incomprehensible changes to the S-Boxes that DES uses for its non-linear component. However, it was later discovered that these changes were 100% beneficial, in that they were specifically designed to protect against differential cryptanalysis (IIRC: if the non-linear transform isn't uniform, the bias can be statistically sampled and used to cut down the search space), that the original design would have been vulnerable to.

So, they may move in strange ways, but that is not always against everyone else.

(mind you, at the time, they were possibly the only people who could have afforded to build a brute-forcer, so you could argue that this change WAS to their benefit in the long run)

here is an even simpler solution to all of you conspiracy theorists that are going to say "the NSA is going to visit you in the night" before ever even seeing a bit of code or product (consequently it also is a beautiful exercise of your freedom to choose and use what you desire)...don't use their distro

I expect that I'll get modded down because I am thinking with common sense rather than stating my thought with the grace of the typical knee jerk reaction...*sigh* welcome to slashdot.
--
"Counting in octal is just like counting in decimal--if you don't use your thumbs."

The changes for SELinux have NOTHING to do with the network transport of data! They will in no way make it either easier or harder for the NSA to monitor network traffic!

SELinux is simply about making the data on your machine safe from other processes on your machine. It prevents a program from accessing any resource on the machine it is not cleared for, no matter who the process is running as.

OK, let's put on our paranoid hats <SoundFX type="crinkling aluminum foil"> and try to guess what benefit this has to the NSA: It makes it possible to use Linux in a secure environment. It gives them an OS for which they have source code (I am pretty sure they have the source for Windows(9*|NT|XP|2000) and Solaris, legally acquired), but they have the legal right to modify and distribute. This allows them to secure any government agency's computing resources in a consistent fashion. Remember, part of their job is securing OUR stuff.

Now, I'm sure that if a modification to allow all TCP traffic to be encrypted by default were to be added to normal IPv4, they might have a problem with that, since that would interfere with their normal data gathering operations. BUT, hardening Linux so a Trojan/Malicious user cannot get access to somebody else's stuff is going to make their life EASIER.

Remember, if the NSA wanted what is on your hard drive, they'd just wait till you were out, pick your locks, dd the drive, and leave.

PGPLabs became involved when it hired one of the original NSA people that worked on this project.

I worked at NAILabs and ran a couple of NSA sponsored projects there. The funds are coming out of R? departments (R == Research). The only strings attached to these projects are performance related such as making progress, regular status updates, and making results public in source code and/or papers.

NSA has two main missions: eavesdropping on the world AND PROTECTING US Gov. computer systems, and in the second role this project makes lots of sense.

My take is that NSA realizes they have a bad image and are trying to do more DARPA like projects to improve the image. There is nothing sinister about NSA involvement. It is only about a year ago that NSA allowed press releases of projects like this one.

The contract builds upon NSA's prior work in developing a set of new security controls for the Linux kernel and NAI Labs' prior work in developing an example security policy configuration for these controls and several additional kernel controls.

Does anybody know what NSA's prior work on the kernel is? Any pointers, web sites, /. articles,... for the un-initiated?

Finally! Now Linux has some real backing in the industry (well, not really the industry, but the government at least).

Now, this means that the NSA can personally secure the file system, password protection schemes, and so on for all Linux users. Can you imagine the kind of security that Linux can have now?!?!!? Finally, Linux might become a viable online brokerage operating system. The only reason that Windows is still being used is because it's the most secure O/S out there.

I'm looking forward to seeing the new O/S that the NSA will come out with. It should be interesting.

Robert Watson mentioned, in a slashdot interview posted almost three months ago [slashdot.org], that much of the SELinux development was being done by NAI labs, under contract. Is it safe to assume that your tagline was meant in sarcasm, Jamie? =) How is this news, BTW?

What's up with people with mod points today? I've seen at least one huge troll go up to 4 before it was modded down (though last time I looked it was still "0, Informative", which made me laugh). And now this is "Insightful".

I have to wonder if somehow the folks at /. managed to give out free drugs to people with mod points today. Now that would be an interesting web interface :)

"This work is not intended as a complete security solution for Linux. Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux. The focus of this work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system.

The security mechanisms implemented in the system provide flexible support for a wide range of security policies. They make it possible to configure the system to meet a wide range of security requirements. The release includes a general-purpose security policy configuration designed to meet a number of security objectives as an example of how this may be done. The flexibility of the system allows the policy to be modified and extended to customize the security policy as required for any given installation.

There is still much work needed to develop a complete security solution. In addition, due to resource limitations, we have not yet been able to evaluate and optimize the performance of the security mechanisms. Currently, we can only support the x86 architecture and have only been able to test it on Red Hat 6.1 distribution. Nonetheless, we feel we have presented a good starting point to bring valuable security features to Linux. We are looking forward to building upon this work with the Linux community."

This is NOT security fixes of Linux, NOT auditing. It is simply a showcase for how to bolt a more complex security model onto an existing mainstream Open Source OS. The kind of security most normal users DO NOT need in their day-to-day browsing habits. However, I hope the project goes well so that they get more funds to do even more.

All privacy functions within NSA Linux have been removed or disabled, all Internet traffic is cached at NSA headquarters for your convenience, and nearly-anonymous statistics are recorded about you to improve customer service. Any attempt to circumvent these features will result in quiet, painless death in the middle of the night.

The National Security Agency today abandoned its plans to integrate a well-known encryption program into its secure version of Linux. According to an anonymous agent of the NSA, the department was shocked when they read a post on a forum known as Slashdot, that encryption was pointless. [slashdot.org] Said the staffer, "We've decided to forgo even putting this in, cause, what's the point. In fact we're getting out of the code business altogether. That question on Ask Slashdot was a blow to a lot of people who've spent their lives working on encryption, only to learn it's pretty much pointless."

All I've read so far are numerous posts about how the NSA will now be able to spy on PGP-encrypted material. Personally, I think this is a load of bullshit. I doubt the NSA needs to ask the people at PGP labs for assistance in cracking this. Either it's been cracked (doubtful) or else the NSA has been so impressed by it, that it's decided to integrate it into its OS.

Come on, stop being so damn paranoid. Trust me, you're not nearly as interesting to the government as you might think you are.

What better way to protect communications than with a tried and true operating system that has almost no security holes (at least, it won't after the NSA gets done with it--they'll probably audit every line of code as was done with OpenBSD)? Would you sleep better at night if they were protecting our communications with an operating system made by people who are too incompetent to know how to write an e-mail program that doesn't run viruses automatically?

It would be extremely hard to add backdoors to Linux. The code is all Open Source. Under the GNU, the NSA is required by law to release source code modifications to the public. How would they explain a source code modification like, "05/13/01 - Added backdoor code to the TCP stack."?

People are overly paranoid. Just because it's the NSA doesn't mean that they're doing this just to add backdoors to Linux. Even if they did, and they somehow managed to get away with it (which is extremely doubtful), it would only be applicable to their distribution. They could always convince Torvalds to let them add it to the kernel as a whole, but do you think all the other kernel hackers wouldn't notice?

I have no doubt that the NSA puts backdoors in Microsoft software, but I also have very little doubt that they will try the same with Linux. An ex-spook even admitted to Microsoft backdoors. Try the same with Open Source software, and you'll have hundreds upon thousands of angry hacker-types banging down your doors. Give the NSA a little more credit.

If anything, this is a step in the right direction for the NSA. They realize that security through obscurity is a poor way to protect systems, and that Linux can provide them with an ultra-secure OS. They can then give this back to the people, and show what years of security and encryption research has produced. I say encourage them. Nothing will make Linux more secure than the US government pumping money and their best security hackers (yes, I mean hackers, not crackers) into the OS. As long as they follow the GNU license, we should see lots of excellent security enhancements in Linux coming soon!

We (as in not I) were responsible for updating many of the GNU utilities to incorporate the MACs and to develop security policies for the applications. From some online briefings, we've gotten through Apache (making CGIs behave and inherit security constraints was apparently difficult), cron and some small GNU utils (cp, kill, ps, tar, mknod, etc.), and we're working on hardening our old friend sendmail and a nice sysadmin policy manager tool.

Actually, is that so hard to believe? Part of NSA's charter is to protect the U.S. from similarly chartered organizations of foreign countries. Think how much easier this job is for the NSA if they can promote an especially secure O.S. to businesses etc. to prevent the loss of important corporate information. NSA doesn't care about the normal consumer-user, but helping to build a professional user base that puts the secure Linux protects our National Security!

That said, also remember if you're trying to place a back door in software why broadcast that you're the NSA. Why not simply slip it in more subtly.

And finally, this is $1.2 Million for an agency that gets $Billions. Hell, it could just simply be to keep a couple of dispirited yet highly valued NSA programmers happy. It's just spare change.

I mean, they'd probably rebuild Linux to B1 or better in the Orange Book.

Actually, one of the interesting points that they make is that Orange Book standards are not the be-all end-all of computer security. To quote:

The TCSEC provides a narrow definition of mandatory security which is tightly coupled to the multi-level security policy of the Department of Defense. This has become the commonly understood definition for mandatory security. However, this definition is insufficient to meet the needs of either the Department of Defense or private industry as it ignores critical properties such as intransitivity and dynamic separation of duty. This paper instead uses the more general notion of mandatory security... in which a mandatory security policy is considered to be any security policy where the definition of the policy logic and the assignment of security attributes is tightly controlled by a system security policy administrator.

The Orange Book was designed to implement the military's system of data security, but there are other potential security models that depend on mandatory access controls. To take this into account, the NSA researchers designed a much more flexible system in which the kernel implements some very generic mandatory access control structures but the details of the security model are substantially configurable. That means that you can implement an Orange Book B-class security model, but that's not the only security model that's available.
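The two points made above (a process is confined by its label regardless of the uid it runs as, and the kernel engine is generic while the policy is administrator-supplied data) as an added example; this is not code from the thread or from SELinux itself, and the type names, the toy policy syntax and the helper names are hypothetical.

```python
"""Toy mandatory access control engine in the style of the SELinux design
discussed above: the decision logic is generic, the policy is data supplied by
an administrator, and the decision never consults the numeric uid, so a root
process is confined exactly like any other.

Constructed example for illustration. Type names, policy syntax and helper
names are hypothetical; this is not SELinux's own policy language."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Rule = Tuple[str, str, str]  # (source_type, target_type, object_class)


@dataclass(frozen=True)
class Context:
    """Security label attached to every subject and object: user:role:type."""
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        user, role, typ = text.split(":")
        return cls(user, role, typ)


@dataclass
class Policy:
    """Administrator-controlled part: which (source, target, class) triples are
    granted which permissions. Anything not listed is denied (default deny)."""
    allow: Dict[Rule, FrozenSet[str]] = field(default_factory=dict)

    def grant(self, src: str, tgt: str, cls: str, *perms: str) -> None:
        key = (src, tgt, cls)
        self.allow[key] = self.allow.get(key, frozenset()) | frozenset(perms)

    def permitted(self, subject: Context, obj: Context, cls: str, perm: str) -> bool:
        return perm in self.allow.get((subject.type, obj.type, cls), frozenset())


@dataclass
class Process:
    uid: int
    ctx: Context


def decide(policy: Policy, proc: Process, obj: Context, cls: str, perm: str,
           dac_allows: bool) -> Tuple[bool, str]:
    """Classic DAC (owner/mode bits) runs first and root bypasses it; the
    mandatory check runs second and root cannot bypass it."""
    if not dac_allows and proc.uid != 0:
        return False, "denied by DAC (owner/mode bits)"
    if not policy.permitted(proc.ctx, obj, cls, perm):
        return False, f"denied by MAC: {proc.ctx.type} -> {obj.type}:{cls} {perm}"
    return True, "allowed"


def type_enforcement_policy() -> Policy:
    """Example configuration: a web server domain may read its content and
    append to its logs, and nothing else, whatever uid it runs as."""
    p = Policy()
    p.grant("httpd_t", "httpd_content_t", "file", "read", "getattr")
    p.grant("httpd_t", "httpd_log_t", "file", "append", "getattr")
    p.grant("sysadm_t", "shadow_t", "file", "read", "write")
    return p


def mls_policy(levels: List[str]) -> Policy:
    """Same engine, different model: generate Bell-LaPadula style rules (read
    down, write up) from an ordered list of clearance levels, i.e. the Orange
    Book flavour of mandatory security the text contrasts with."""
    p = Policy()
    for i, subj in enumerate(levels):
        for j, obj in enumerate(levels):
            if i >= j:                       # simple security property
                p.grant(f"{subj}_t", f"{obj}_t", "file", "read")
            if i <= j:                       # *-property
                p.grant(f"{subj}_t", f"{obj}_t", "file", "write")
    return p


def demo() -> Dict[str, bool]:
    te = type_enforcement_policy()
    root_httpd = Process(uid=0, ctx=Context.parse("system_u:system_r:httpd_t"))
    content = Context.parse("system_u:object_r:httpd_content_t")
    shadow = Context.parse("system_u:object_r:shadow_t")
    mls = mls_policy(["unclassified", "secret", "topsecret"])
    secret = Context.parse("u:r:secret_t")
    lower = Context.parse("u:r:unclassified_t")
    higher = Context.parse("u:r:topsecret_t")
    return {
        "root httpd reads content": decide(te, root_httpd, content, "file", "read", False)[0],
        "root httpd reads shadow": decide(te, root_httpd, shadow, "file", "read", False)[0],
        "root httpd writes content": decide(te, root_httpd, content, "file", "write", True)[0],
        "secret reads unclassified": mls.permitted(secret, lower, "file", "read"),
        "secret reads topsecret": mls.permitted(secret, higher, "file", "read"),
        "secret writes topsecret": mls.permitted(secret, higher, "file", "write"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {'allowed' if ok else 'denied'}")
```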

What could possibly motivate them to cooperate with an open source effort, if not to compromise its security?

Gee, I don't know could it be:

The NSA is chartered to protect the communications security of the United States...

I don't know about you, but I think that pretty clearly covers the idea of new, higher security versions of existing software. Remember that SE Linux isn't really about encryption, but about adding a better security architecture to the system. That means helping to make the system cracker-proof, not making its communications more secure. They still have plenty of room to intercept and decode the other guys' communications even if they can't crack his boxen anymore.

Of course there's still a very serious need to make those systems secure. Not being on the Internet does reduce your risk of being hax0red by skript kiddiez, but being a high profile, high value target attracts other kinds of attackers. You can bet that just about every unfriendly power out there is trying to get access to Intelink, either by infiltrating a mole or suborning someone who already has access. The number of potential attackers may be lower, but their dedication, skill, and support are likely to be a lot higher than random kiddiez.

And, of course, there's more to national security than keeping top secret military secrets from the prying eyes of the baddies. The long term economic health of the country is critical for national security, and that means helping companies that need security to get it. The NYSE, for instance, needs to have a lot of its critical systems exposed to the net, since their whole purpose is to send out critical information. It would be no good at all if they were broken into by morons intent on vandalizing the computers, and really, really bad if they were cracked by somebody with some subtlety and bad intentions, though I'm pretty confident that they're already running something more secure than Apache/Linux or IIS/Win2000. And, of course, that's just one example. Corporate espionage is a real potential problem, as is large scale credit card fraud, both of which could be carried out by cracking the right computers.

It's interesting to note that NAI have been involved for months with the project - see an NSA Press Release from January here [nsa.gov].

An interesting techy overview is available from IBM here.

I'm a serious NSA-paranoid (in 98 I wrote the rhyme: "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."), but I for one think that NSA 'hardened' Linux is a VERY good thing.... Don't forget that, as well as being dirty spying bastards, the NSA (and the rest of the USG) are the largest consumers of secure computing.

At the moment they pay through the nose for 'hardened' versions of AIX, Solaris, HP-UX etc. They see that Linux is a 'free' alternative and would like to cut costs. They see that Linux isn't secure enough (e.g. would struggle to get a C2 rating, let alone B*), so they decide to start coding themselves, adding functionality such as MAC.

Rather than keep the changes themselves, the NSA decide to share the source code back with the community - this really embraces the Free Software / Linux philosophy. Any code released will be scrutinized no end - a peer review of the initial code for example uncovered a potential buffer overflow vulnerability.

I appreciate that my comments may not be popular with the ultra-paranoid, but if you can objectively view the facts this development really is a good thing for Linux. Hell, if you don't want to use the changes, then don't apply the diffs.

The bottom line: I strongly support NAI in their efforts to further develop Linux.

That's 1.2 million dollars of government effort. It gets you one project manager who doesn't understand the project, three programmers who are there because they can do no work and not get fired, two programmers who are there bankrolling their education to the government, one programmer who died at his desk in '79 and nobody's noticed yet, 20 dot matrix printers someone in procurement bought because they're an idiot, five toilet seats, and a ball-peen hammer.

It's actually better than that. Turns out, the NSA had been researching linear cryptanalysis sometime prior to 1977. So, when their designers get together with IBM's, they hand over some very particular S-boxes for the algorithm. Until the work of Shamir et al in the 90s, nobody knew where they'd pulled them from. It was one of those "We can't tell you where we got them, or why you should use them -- just trust us" deals.

So around 1995, linear cryptanalysis is discovered in the non-classified world, and applied to DES. To everyone's great surprise, when you factor in the storage requirements, linear cryptanalyzing DES is almost exactly as hard as brute forcing it, because of the particular structure of the S-boxes.

So sure, the NSA almost certainly wouldn't *tell* us if they knew how to break RSA, but their mandate *is* the security of the US. As such, they have an interest in getting security that works into the hands of Americans (business in particular, you might notice from the press release -- same reasoning behind designing DES so strong).

I believe, backdoors notwithstanding, that the NSA port of Linux has great potential. I mean, they'd probably rebuild Linux to B1 or better in the Orange Book. (This puts it in the same class as BSDi (I believe), Trusted Irix, and other Unixes with high security standards.) Mandatory Access Controls are made stronger, Access Control Lists are part of the OS, probably paranoia levels of logging, good crypto. Good times.

For those of you who are concerned about this port, pay close attention to this next line.

GPL/OSS's strength is in the availability of source which can be audited.

For those of you cryptonauts and paranoids who don't quite know C (present company included), you've a very good reason to learn. Reading the multitudinous (ooh! big word!) kilos and megs of kernel source ain't my idea of a great vacation, but the results of the extensive audit will be worth it. (B1 operating systems are, shall we say, DAMNED hard nuts to crack.)

If that's not enough, there's an article (name, site, and url escape me) where Linus says that audited parts of the NSA port may well be injected into the source tree.

From the mouth of Robert Steele, former CIA spook and runner of OSS.net (Open Source Secrets), a site which offers information to businesses and others on open information which is encoded in that most hard to crack of codes, other languages:

"The Morris Worm was the worst thing to happen to the CIA, because then system administrators looked for all those cracks in security!"

This (infiltrating the linux community through the prebuilt compiler or even kernel) would actually work to a certain extent with the current Linux community. How many of you are running a home-compiled kernel? [OK, lots] Now keep your hands up if you are running a kernel you compiled with a compiler you compiled. [most hands go down.] What kernel were you running when you compiled the compiler? And what compiler did you use on that kernel?

The mechanism for complete infection would not be there, though, since there would be plenty of people and distros out there that would begin to track and maintain the purity of the lineage of their compilers and kernels, but the NSA could get a foothold into the more promiscuous script kiddies community, which they have some incentive to do anyway.

Actually, I was thinking about open-source revealing any potential backdoors, and I think it ain't necessarily so. Remember that the NSA employs a high percentage of the math PhDs in this country. Some of their odd design choices for the DES were not explained and raised some speculation that they might have an obscure way to crack it that no one else had discovered (I believe it was Schneier in Applied Cryptography that raised this issue to my attention).

Although they have a reason to want the net to be unhackable, they also have a reason to be the exception. Given the brainpower they have, they could conceivably know something we don't. Beware of algorithms you don't understand.

Before the Slashdot effect kicks in and everyone starts screaming about back doors, let's look at the facts. 1.2 million dollars will be pumped into the development of Linux. That's quite a few man-hours that will be contributed to an open source project to enhance its security and capabilities.

Now let's look at other times a joint commercial/NSA endeavor has taken place: DES. The standard was published in January 1977 and no major cryptographic break has been discovered yet save brute force (I hardly consider linear cryptanalysis a real threat).

Personally I am a little more worried about NAI's involvement than the NSA's.

The NSA has always been so close-doored about exactly what it does and doesn't know in the crypto field, it has a lot of public domain cryptography experts wondering whether all their hard work is actually in any way useful, or whether the NSA is so much further ahead of them that they're just wanking - to use the parlance of our times.

It's interesting to me then that the NSA has chosen to partner with NAI on this; it seems to give some very strong support to the belief that public domain cryptography is at least as good as NSA level stuff.

Of course it could all be a massive ruse to put us poor saps off guard - but honestly I'm not willing to go that paranoid today. Any takers?

Doesn't publishing the source kind of make it meaningless to incorporate monitoring features?
Somebody out there will find the monitoring features pretty quick, and then nobody will use your code. Somehow I think the NSA is a bit smarter than that.

It's nice to see companies joining to assist the NSA, however I would never install it, for paranoia reasons. Aside from that, it's not all that. (read this [ibm.com] to back those claims, and we can't forget its first security incident [ox.ac.uk])

It's a nice idea, but ask yourself this question... The NSA could have done this a long time ago, why now? With the rising amount of cybercrime, one would think that _THAT_ would be their motive; however, if that were the case they would be strong opponents of crypto for the masses, so why one and not the other?

So again jumping into the paranoia stage, could it be because the typical script kiddiot is using various forms, of Linux, this could be a method to monitor them? If so how do corporations who use this (SELin) fall into the muck of it all, what about employees of the NSA, and NAI, if they were capturing data, that could affect stock markets, integrity of people, confidence. Total PR nightmare...

Anyways it is nice to see a secure (for now) OS on the market, but as for me... I'd take Open over SELinux anytime.

Linear cryptanalysis and differential cryptanalysis are the most important methods of attack against block ciphers. Their efficiency has been demonstrated against several ciphers, including the Data Encryption Standard. We prove that both of them can be considered, improved and joined in a more general statistical framework. We also show that the very same results as those obtained in the case of DES can be found without any linear analysis and we slightly improve them into an attack with theoretical complexity

Maybe not this time. If you consider the vulnerability of the IT infrastructure to various modes of attack and the damage this could do to the USA, it's entirely possible that the NSA is absolutely serious about trying to help people lock down their systems. Look at it this way; if the NSA can't figure an automated crack against the systems, it's unlikely that an enemy could either. This radically reduces the possible damage.

Leaving a backdoor in would be pretty stupid, because the impact (to the nation and the NSA itself) if it was found and exploited would be enormous. You may think of the NSA as a bunch of goons, but they do have a sense of self-preservation; they'd have to be suicidal to do what you're proposing.

Somebody busted his hump to get his boss at NSA to let him work on Linux. Said person then busted his hump even further to get his boss to actually allow the release of the source code. What, you think it was easy to get the NSA to release the source code?

I can only imagine how many levels of authorization this poor guy had to go through to get permission to release the source code. Can you even begin to imagine the hell he went through for our benefit?

And as his reward, this poor soul now gets a bunch of idiots screaming about the NSA trying to break Linux's security. If he ever gets invited to speak at a conference, he'll probably be booed off the stage for his efforts.

The paranoid are going to think that SELinux is in some way compromised by the NSA, no matter how unrealistic it seems (paranoia is irrational by definition, after all). However, this leaves you with one more question: Who would you rather have access to your information, the NSA, or Microsoft? U. S. citizens at least have the option of complaining to Congress, taking them to court, et al. Microsoft, on the other hand, has a habit of negating all your legal rights through their licensing scheme. Just look at the recent Passport fiasco.

The NSA has to worry about the GAO breathing down their necks and the CIA, DIA, and FBI competing with them in some things. Microsoft is a monopoly. Who's going to be the one to worry more about the end-user?

If the NSA has to be working with an operating system, I'd prefer it to be Linux. Even if they were to put in back doors, at least the users have the legal right to look at the source code and try to find it and fix it. And I can almost guarantee that anything that has the NSA stamp of approval on it will be rigorously tested by the community, if for no other reason than because it says "NSA" on it.

Rather than keep the changes themselves, the NSA decide to share the source code back with the community - this really embraces the Free Software / Linux philosophy.

Actually, the Linux GPL requires them to make the modifications available under GPL. They are not symbolically embracing "Free Software / Linux philosophy"; they are simply complying with the licensing agreement.